
Thread: Spoofed Email sent from support@domain.com

  1. #1
    VTC
    VTC is offline Senior Member
    Join Date
    Apr 2008
    Location
    Virginia
    Posts
    74
    Rep Power
    7

    Spoofed Email sent from support@domain.com

    A user received four emails this morning, not filtered out as spam, from support@<mydomain>.com, but the reply-to is something else, i.e. spoofed.

    "Dear Customer,

    This e-mail was send by <My domain>.com to notify you that we have temporanly prevented access to your account.

    We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.

    (C) <My domain>.com"

    With a zip file.

    Anyone who can help me adjust my spam rules to block these types of emails would be appreciated.

  2. #2
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,568
    Rep Power
    57


    What happens if you hit the Junk button to mark them as spam, do they continue to arrive in the Inbox? What are your Kill/Tag percentages set to? Do the headers from the spam show anything significant? Don't forget that fighting spam is an ongoing process and it's never likely to be 100% perfect, the user will always get some spam in the Inbox.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    VTC
    VTC is offline Senior Member
    Join Date
    Apr 2008
    Location
    Virginia
    Posts
    74
    Rep Power
    7

    Message Info

    "Return-Path: atlantisz03@rossiter.com
    Received: from pobox1.virtc.com (LHLO pobox1.virtc.com) (192.168.1.9) by
    mail.virtc.com with LMTP; Thu, 29 Jul 2010 04:29:43 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by pobox1.virtc.com (Postfix) with ESMTP id 1EB9A4182FD
    for <user@raytheonvtc.com>; Thu, 29 Jul 2010 04:29:43 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at pobox1.virtc.com
    X-Spam-Flag: NO
    X-Spam-Score: -2.611
    X-Spam-Level:
    X-Spam-Status: No, score=-2.611 tagged_above=-10 required=2.4
    tests=[AM:BOOST=-10, BAYES_80=2, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
    RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no
    Received: from pobox1.virtc.com ([127.0.0.1])
    by localhost (pobox1.virtc.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id IPWjskgiTB-B; Thu, 29 Jul 2010 04:29:37 -0400 (EDT)
    Received: from CMQUMVKFRQ (unknown [117.201.106.105])
    by pobox1.virtc.com (Postfix) with ESMTP id 32B3141802B
    for <user@raytheonvtc.com>; Thu, 29 Jul 2010 04:29:36 -0400 (EDT)
    Received: from 117.201.106.105 by mail.rossiter.com; Thu, 29 Jul 2010 13:57:47 +0530
    Message-ID: <000d01cb2ef7$ecb29f00$6400a8c0@atlantisz03>
    From: "raytheonvtc.com Member Services" <support@raytheonvtc.com>
    To: <user@raytheonvtc.com>
    Subject: raytheonvtc.com account notification
    Date: Thu, 29 Jul 2010 13:57:47 +0530
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0006_01CB2EF7.ECB29F00"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

    This is a multi-part message in MIME format.
    "

  4. #4
    VTC
    VTC is offline Senior Member
    Join Date
    Apr 2008
    Location
    Virginia
    Posts
    74
    Rep Power
    7


    Quote Originally Posted by phoenix View Post
    What happens if you hit the Junk button to mark them as spam, do they continue to arrive in the Inbox? What are your Kill/Tag percentages set to? Do the headers from the spam show anything significant? Don't forget that fighting spam is an ongoing process and it's never likely to be 100% perfect, the user will always get some spam in the Inbox.
    1) Well, the irony is that the user had some of the same messages before in junk; I had him move the latest to the junk mail folder in any event.

    2) I'm not sure I am familiar with Kill/Tag Percentage settings.

    3) Read the above for the headers of an example.

    Ideally I know spam fighting is a constant battle, but blocking spoofed emails should be more finite.

  5. #5
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,568
    Rep Power
    57


    Quote Originally Posted by VTC View Post
    1) Well, the irony is that the user had some of the same messages before in junk; I had him move the latest to the junk mail folder in any event.

    2) I'm not sure I am familiar with Kill/Tag Percentage settings.
    The settings are on the Global Settings/AS/AV tab and determine what gets tagged as spam and what gets killed.

    Quote Originally Posted by VTC View Post
    3) Read the above for the headers of an example.
    I would think that the following is causing the problem:

    Quote Originally Posted by VTC View Post
    tests=[AM:BOOST=-10, BAYES_80=2, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
    RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no
    Have you got the sending company (mailserver?) whitelisted by any chance? I'm not familiar with that test and the only mention in the forums is this thread: https://www.zimbra.com/forums/admini...hite-list.html

    Quote Originally Posted by VTC View Post
    Ideally I know spam fighting is a constant battle, but blocking spoofed emails should be more finite.
    Sorry, that wasn't meant to be a lecture.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  6. #6
    VTC
    VTC is offline Senior Member
    Join Date
    Apr 2008
    Location
    Virginia
    Posts
    74
    Rep Power
    7


    So in our current amavisd.conf.in we set our domain to have a boost of -10:
    'mydomain.com' => -10.0
    Should we not be doing this?

  7. #7
    VTC
    VTC is offline Senior Member
    Join Date
    Apr 2008
    Location
    Virginia
    Posts
    74
    Rep Power
    7


    I guess another question is, what is a good Kill/Tag ratio?

    For some reason we have some abstract numbers:
    55 Kill
    12 tag.

  8. #8
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,568
    Rep Power
    57


    Quote Originally Posted by VTC View Post
    So in our current amavisd.conf.in we set our domain to have a boost of -10:
    'mydomain.com' => -10.0
    Should we not be doing this?
    My guess would be no, you shouldn't, as that's what is giving that email a score that is 'not spam'. A question, why do you think that setting is necessary?

    Quote Originally Posted by VTC View Post
    I guess another question is, what is a good Kill/Tag ratio?

    For some reason we have some abstract numbers:
    55 Kill
    12 tag
    I'd say they're a bit on the low side and may remove valid email or give false positives, I have my Kill/Tag set at 66/25 and find that works OK. The obvious thing is if you aren't seeing any false positives or you're not rejecting valid mail then I guess those settings are working for you - those numbers are always a best guess.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.
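
Added example, not part of any post in this thread: a short Python check that parses the X-Spam-Status value quoted in post #3 and shows how the AM:BOOST entry moves the message below the tag threshold, as discussed in posts #5 and #8. The function names are hypothetical, and the percent-to-score conversion (a 20-point scale) is an assumption that matches the page's own numbers (Tag 12 and required=2.4).

```python
import re

# Constructed from the X-Spam-Status header quoted in post #3.
HEADER = ("No, score=-2.611 tagged_above=-10 required=2.4 "
          "tests=[AM:BOOST=-10, BAYES_80=2, RCVD_IN_PBL=0.905, "
          "RCVD_IN_XBL=3.033, RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] "
          "autolearn=no")

def percent_to_score(percent):
    """Assumption: Kill/Tag percentages are taken on a 20-point score scale."""
    return round(percent * 0.2, 3)

def parse_spam_status(value):
    """Return (reported_score, required, {test_name: points})."""
    score = float(re.search(r"score=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", value).group(1))
    body = re.search(r"tests=\[(.*?)\]", value, re.S).group(1)
    tests = {}
    for item in body.split(","):
        name, _, points = item.strip().partition("=")
        if name:
            # Some setups list test names without points; count those as 0.
            tests[name] = float(points) if points else 0.0
    return score, required, tests

def boost_impact(value, kill_percent, boost_prefix="AM:BOOST"):
    """Compare the reported score with the score the content tests alone give."""
    score, required, tests = parse_spam_status(value)
    boost = sum(p for n, p in tests.items() if n.startswith(boost_prefix))
    content = round(sum(p for n, p in tests.items()
                        if not n.startswith(boost_prefix)), 3)
    kill = percent_to_score(kill_percent)
    return {
        "reported": score,
        "required": required,
        "boost": boost,
        "score_without_boost": content,
        # True when only the boost keeps the message under the tag threshold.
        "masked_by_boost": score < required <= content,
        "would_be_killed_without_boost": content >= kill,
    }

if __name__ == "__main__":
    for key, val in boost_impact(HEADER, kill_percent=55).items():
        print(f"{key}: {val}")
```

With the thread's values, the content tests alone sum to 7.389, which is above the tag threshold of 2.4 but below the kill threshold of 11.0 that Kill 55 gives under the stated assumption.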

  9. #9
    VTC
    VTC is offline Senior Member
    Join Date
    Apr 2008
    Location
    Virginia
    Posts
    74
    Rep Power
    7


    These settings have been in place for a while, and finally we get spam mail with our domain name and voilà, you have a problem...
